Apple's Keychain: The solution and the problem with password managers

Summary: One thing Apple is doing right — partly — is the password manager functionality built into Keychain in iOS 7 and Mavericks. Nobody does it completely right, and right now it's probably impossible to do so. But there is a way to make it all work.

Everyone should be using a password manager. I use Lastpass, but there are other respected ones. Now Apple is baking the password manager directly into the operating system. This would be great if only they weren't being so Apple about it.

In iOS 7 and OS X 10.9 (Mavericks), Apple added iCloud Keychain, a password manager that stores credentials in the user's iCloud account so that they follow the user across devices, along with APIs that let iOS and Mac developers support it in their own programs. But it exists only on Apple's platforms and in apps written to Apple's APIs. To see why that's a problem, here's some more about password managers.

Ideally, passwords would go away entirely, but that's like saying world peace would be good — it ain't going to happen any time soon. So if we have to live with passwords, we need to use them securely. There are two main things end users do wrong with passwords: they use weak passwords, and they reuse passwords on multiple sites, so that a breach at one site hands the attacker their account at every other site that shares the password. A secure user would have a unique, strong, randomly generated password (like "34cZoHdMk4XI") for every login they have.

This is where password managers show both their strengths and their weaknesses: they let us use passwords responsibly by generating and remembering a unique, strong password for each login we have. They can even integrate two-factor authentication to make the login even stronger. But because the passwords themselves are no longer usable directly by humans (who could remember dozens of random strings like that?), the password manager has to work everywhere you might need to log in. Nobody really does this well, and in some ways it's impossible to do.
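As an added example (not code from the original column, and not code from Lastpass, 1Password or Apple), here is what a manager does when it generates the kind of password shown above and checks a vault for reuse. The vault contents and every name in it are constructed for illustration, and the 12-character minimum is an assumption, not a standard.

```python
# Added example, not code from the original column or from any password manager it
# names: how a manager produces the kind of unique, strong password the text shows
# ("34cZoHdMk4XI") and how it can check a vault for reuse. Names are illustrative.
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # 62 symbols, the class of "34cZoHdMk4XI"


def generate_password(length: int = 12, alphabet: str = ALPHABET) -> str:
    """Draw every character from the OS CSPRNG via secrets; random.random() is not suitable."""
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("need a positive length and at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly random password: length * log2(number of distinct symbols)."""
    return length * math.log2(len(set(alphabet)))


def reused_passwords(vault: dict[str, str]) -> dict[str, list[str]]:
    """Map each password stored for more than one site to the sites sharing it.

    vault maps a site or app name to the password stored for it.
    """
    sites_by_password: dict[str, list[str]] = {}
    for site, password in vault.items():
        sites_by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}


def problems_with(vault: dict[str, str], site: str, password: str, min_length: int = 12) -> list[str]:
    """What a manager should flag before saving `password` for `site` (min_length is an assumption)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    shared = [s for s, p in vault.items() if s != site and p == password]
    if shared:
        problems.append("already used for " + ", ".join(sorted(shared)))
    return problems


# Constructed sample vault: one reused password, one weak one, one generated one.
SAMPLE_VAULT = {
    "bank.example": "Password1",
    "forum.example": "Password1",
    "mail.example": "sunshine",
    "shop.example": "34cZoHdMk4XI",
}

if __name__ == "__main__":
    print("reused:", reused_passwords(SAMPLE_VAULT))
    for site, pw in SAMPLE_VAULT.items():
        print(site, problems_with(SAMPLE_VAULT, site, pw) or "ok")
    new = generate_password()
    print(f"generated {new} ({entropy_bits(len(new)):.1f} bits)")
```

The point of `entropy_bits` is that a 12-character password over 62 symbols is worth about 71 bits only because every character was drawn uniformly from a CSPRNG; a human-chosen string of the same length and character classes is worth far less, which is why the manager, not the user, should be doing the generating.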

If you're on a friend's computer, working somewhere you can't install software, or using a system for which your password manager has no client, you can't get at your passwords easily. This problem shows up most painfully on mobile devices.

As a general rule, third-party password managers can't fill user IDs and passwords into mobile apps, not even on Android. The OS doesn't permit it. There are good reasons for this which I won't go into, but they don't negate the fact that it's a problem. The way Lastpass (and, I imagine, the others) handle the problem is threefold:

First, they provide their own web browser integrated with their client (Lastpass's is based on Dolphin; RoboForm also has add-ons for Dolphin and Firefox for Android). The custom browser usually works well enough, and Lastpass tells me they're happy with it, but I run into problems fairly regularly, usually where Dolphin isn't rendering a page in a way that's readable on my phone.

The fallback there is the second method: use another, better-supported browser like Chrome, and use the Lastpass app to look up the username and password in your Vault, the cloud-stored password database. You copy each value to the clipboard and paste it into the app or browser; on a conventional computer you can likewise open your Vault through a web browser. This works, but slowly, in multiple steps, and it's a big pain. It also leaves the password sitting on the clipboard, where any other app on the device can read it until something else overwrites it.

A third method, used by Lastpass on Android, is to provide a Lastpass-aware keyboard as an Android input method. This keyboard has a Lastpass key on it that can call up the list of logins from the Vault (their password database) appropriate for the app or site. I have been trying, without success, to get this working. In fairness to Lastpass, my support request is still pending, but it's not going to make much of a difference if I get it working because the keyboard is primitive. I use Swype and love it, and having to juggle multiple keyboards is just too much to keep track of. To me it's an overall loss in efficiency. Lastpass knows this; they are trying to work with the major third party software keyboard companies to provide for integration.

There's sort of a fourth method, implemented by 1Password, to encourage app authors to put a button on their login screens which switches over to 1Password and searches for the appropriate login. But that's all it does. It can't switch back to the app or auto-fill fields, so the user has to copy the credentials to the clipboard, manually go through the home screen back to the app and paste them. Lame.

Nobody gets it right. Apple's approach hints at the right way to do it, but it doesn't go far enough. Here's the right way: operating systems need, as Apple's do, to treat the password manager as an important, trusted part of the operating system, with the OS itself brokering access to applications where necessary, so that a credential is filled only into the app or site it was saved for and the app never has to see the manager. But the password managers need to be pluggable, with defined interfaces so that all of them can do the things they need to do, such as fill username, password and other form fields, like credit card numbers.

There's no reason an OS vendor like Apple shouldn't make its own, but if it conformed to the same interfaces then the user could choose a third-party alternative. Perhaps Apple doesn't want this because it would make it easier for their users to use non-Apple products.

The pluggable password manager approach should work well on any operating system, including Windows. Even a really cloud-oriented OS, like Chrome OS, should be able to handle it.

These programs need to be trustworthy. A special code-signing system could be created in which password managers have to be certified and approved before the OS will install them. Such a system could also provide a user override to install any old password manager, with clear warnings, if the OS vendor wants to allow it. Android might; iOS never would.
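The pluggable, OS-brokered design described above, sketched as an added example in Python. This is not code from the original column, from Apple, or from any manager the column mentions; the `PasswordProvider` interface, the `AutofillBroker`, the vault contents and the provider names are all assumptions made for illustration, and HMAC-SHA256 under a key only the OS holds stands in for the vendor's code-signing check. It also makes explicit one rule the text only implies: a credential is filled only into the exact origin it was saved for.

```python
# Added example, not code from the original column or from Apple, Lastpass or
# 1Password: the OS-side broker is the only party apps talk to, providers plug in
# behind one interface, and only certified providers are accepted unless the user
# overrides. HMAC stands in for real code signing; all names are illustrative.
from __future__ import annotations

import hashlib
import hmac
from abc import ABC, abstractmethod
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Credential:
    origin: str                                            # "scheme://host" it may be filled into
    fields: dict[str, str] = field(default_factory=dict)   # username, password, card_number, ...


def normalize_origin(url: str) -> str:
    """Reduce a URL or app-supplied origin to scheme://host (no port, path or userinfo)."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    return f"{parts.scheme.lower()}://{parts.hostname}"


class PasswordProvider(ABC):
    """The interface the OS would define; the vendor's own manager and third-party
    ones implement it alike, so the user can swap one for another."""

    name: str

    @abstractmethod
    def credentials_for(self, origin: str) -> list[Credential]:
        """Credentials stored for exactly this origin; never a substring match."""


class VaultProvider(PasswordProvider):
    """A provider over an in-memory list (stands in for iCloud Keychain or a Lastpass Vault)."""

    def __init__(self, name: str, vault: list[Credential]):
        self.name = name
        self._vault = vault

    def credentials_for(self, origin: str) -> list[Credential]:
        return [c for c in self._vault if c.origin == origin]


class AutofillBroker:
    """The OS-side component and the only party apps talk to; apps never see the provider."""

    def __init__(self, vendor_key: bytes):
        self._vendor_key = vendor_key        # stands in for the OS vendor's code-signing key
        self._providers: dict[str, PasswordProvider] = {}
        self.active: PasswordProvider | None = None
        self.warnings: list[str] = []

    def certify(self, provider_name: str) -> str:
        """What the vendor's certification step would issue (HMAC stands in for a signature)."""
        return hmac.new(self._vendor_key, provider_name.encode(), hashlib.sha256).hexdigest()

    def register(self, provider: PasswordProvider, signature: str | None = None,
                 user_override: bool = False) -> bool:
        certified = signature is not None and hmac.compare_digest(
            signature, self.certify(provider.name))
        if not certified and not user_override:
            return False                     # iOS-style: refuse anything uncertified
        if not certified:                    # Android-style: allow, but record the warning
            self.warnings.append(f"{provider.name} is not certified; installed at the user's request")
        self._providers[provider.name] = provider
        if self.active is None:
            self.active = provider
        return True

    def fill(self, app_origin: str, form: dict[str, str]) -> dict[str, str] | None:
        """Fill only the fields the form asks for, only from a credential bound to this origin."""
        if self.active is None:
            return None
        matches = self.active.credentials_for(normalize_origin(app_origin))
        if not matches:
            return None                      # other host, other scheme or look-alike domain: nothing
        filled = dict(form)
        for name in form:
            if name in matches[0].fields:
                filled[name] = matches[0].fields[name]
        return filled


# Constructed sample vault (not real accounts) and a demonstration run.
SAMPLE_VAULT = [
    Credential("https://bank.example", {"username": "alice", "password": "34cZoHdMk4XI"}),
    Credential("https://shop.example", {"username": "alice@example.com",
                                        "password": "Qp7vL2xRt9Zm", "card_number": "4111111111111111"}),
]

if __name__ == "__main__":
    broker = AutofillBroker(vendor_key=b"vendor-signing-key")
    keychain = VaultProvider("BuiltinKeychain", SAMPLE_VAULT)
    broker.register(keychain, signature=broker.certify(keychain.name))
    print(broker.fill("https://bank.example/login", {"username": "", "password": ""}))
    print(broker.fill("https://bank.example.evil.example/login", {"username": "", "password": ""}))
```

Two details carry the security weight. The broker compares the normalized origin for equality, so a look-alike host such as bank.example.evil.example, or the same host over plain http, gets nothing; substring or "ends with" matching is how autofill gets turned into a phishing tool. And certification is checked by the OS against its own key, with the override path recorded as a warning rather than silently allowed, which is the Android-versus-iOS policy choice the text describes.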

The main reason my proposal probably won't happen is that mobile OS vendors, mainly Apple and Microsoft, are very concerned with controlling the basic user interface elements of the OS. It's the same reason Apple and Microsoft don't allow installable keyboards.

It's cool that there are so many different and competitive ecosystems these days: Android, Windows, OS X, iOS, Chrome, even Kindle is really separate, and there are others. Passwords are one of the top problems with all this diversity.

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech.
Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...